Sometimes, changes introduced in a new release have side-effects we cannot
reasonably avoid, or they expose bugs somewhere else. This section documents
issues we are aware of. Please also read the errata, the relevant packages'
documentation, bug reports and other information mentioned in Section 6.1,
“Further reading”.

5.1. Upgrade specific items for Stretch

This section covers items related to the upgrade from Jessie to Stretch.

5.1.2. Deprecated components for Stretch

With the next release, Debian 10 (codenamed Buster), some features will be
deprecated. Users will need to migrate to other alternatives to prevent
trouble when updating to 10.

This includes the following features:

TODO: Add items if any

5.1.3. Things to do post upgrade before rebooting

When apt-get dist-upgrade has finished, the “formal” upgrade
is complete, but there are some other things that should be taken care of
before the next reboot.

add list of items here

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide
minimal backports for security issues. These are covered in the
following subsections.

Note that the package debian-security-support helps to track
security support status of installed packages.

5.2.1. Security status of web browsers

Debian 9 includes several browser engines which are
affected by a steady stream of security vulnerabilities. The
high rate of vulnerabilities and partial lack of upstream
support in the form of long term branches make it very difficult
to support these browsers with backported security fixes.
Additionally, library interdependencies make it impossible to
update to newer upstream releases. Therefore, browsers built
upon the webkit, qtwebkit and khtml engines are included in
Stretch, but not covered by security support. These
browsers should not be used against untrusted websites.

For general web browser use we recommend Iceweasel or Chromium.

Chromium - while built upon the Webkit codebase - is a leaf
package, which will be kept up-to-date by rebuilding the current
Chromium releases for stable. Iceweasel and Icedove will also
be kept up-to-date by rebuilding the current ESR releases for
stable.

5.2.2. Lack of security support for the ecosystem around libv8 and Node.js

The Node.js platform is built on top of libv8-3.14, which experiences a high
volume of security issues, but there are currently no volunteers
within the project or the security team sufficiently interested
and willing to spend the large amount of time required to stem
those incoming issues.

Unfortunately, this means that libv8-3.14, nodejs, and the associated node-*
package ecosystem should not currently be used with untrusted
content, such as unsanitized data from the Internet.

In addition, these packages will not receive any security
updates during the lifetime of the Stretch release.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between
Jessie and Stretch. There are a small number of
cases where some intervention may be required, either before or
during the upgrade; these are detailed below on a per-package
basis.

5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default

The OpenSSH 7 release has disabled some older ciphers and the SSH1
protocol by default. Please be careful when upgrading machines to which
you only have SSH access.

5.3.2. Possible backwards incompatible changes to APT

This section covers some of the incompatible changes to APT that
may affect your system.

5.3.2.1. APT now fetches files with an unprivileged user ("_apt")

APT will now attempt to discard all root privileges before
fetching files from mirrors. APT can detect some common cases
where this will fail and fall back to fetching things as root
with a warning. However, it may fail to detect some exotic
setups (e.g. uid-specific firewall rules).

If you experience issues with this feature, please change to
the "_apt" user and check that it:

has read access to files in /var/lib/apt/lists and /var/cache/apt/archives.

has read access to the APT trust store (/etc/apt/trusted.gpg and
/etc/apt/trusted.gpg.d/).

5.3.2.2. New requirements for APT repository

This section only applies if you have (or intend to use)
third-party repositories enabled or if you maintain an APT
repository.

To improve the download stability and ensure security of the
downloaded content, APT now requires the following from an
APT repository:

The InRelease file must be available.

All metadata must include at least SHA256 checksums of all items. This
includes the gpg signature of the InRelease file.

Signatures on the InRelease file should be made with a key of 2048 bits
or larger.

If you rely on a third-party repository that cannot comply
with the above, please urge them to upgrade their repository.
More information about the InRelease file can be found on the
Debian Wikipedia.
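
The checksum and signature-digest requirements can be checked offline against
a repository's InRelease file before the upgrade. The shell functions below
are an added example, not APT's own code and not part of the original release
notes; they inspect the file only and do not verify the signature or the key
size. The function names and sample files are constructed for illustration,
and treating SHA256, SHA384 and SHA512 as acceptable signature digests is an
assumption.

```shell
# Added example: inspects a clearsigned InRelease file; verifies no signature.
# Print the digest named in the clearsign "Hash:" armor header.
inrelease_sig_hash() {
    awk '/^-----BEGIN PGP SIGNED MESSAGE-----/ { armor = 1; next }
         armor && /^Hash: /                   { print $2; exit }
         armor && /^$/                        { exit }' "$1"
}

# Print each file that has an MD5Sum/SHA1 entry but no SHA256 entry.
# Exit status is 1 if any is printed or if no SHA256 entry exists at all.
release_missing_sha256() {
    awk '/^-----BEGIN PGP SIGNATURE-----/ { exit }
         /^[A-Za-z0-9-]+:/ { section = $1; sub(/:$/, "", section); next }
         /^ / && NF == 3 {
             if (section == "SHA256") { strong[$3] = 1; n++ }
             else if (section == "MD5Sum" || section == "SHA1") weak[$3] = 1
         }
         END { for (f in weak) if (!(f in strong)) { print f; bad = 1 }
               exit (bad || n == 0) }' "$1"
}

# Return 0 only if both checks pass (assumption: SHA256/384/512 acceptable).
check_inrelease() {
    case "$(inrelease_sig_hash "$1")" in
        SHA256|SHA384|SHA512) ;;
        *) echo "$1: signature digest is weaker than SHA256" >&2; return 1 ;;
    esac
    missing=$(release_missing_sha256 "$1") && return 0
    echo "$1: no SHA256 checksum for: ${missing:-any file}" >&2
    return 1
}

# Constructed samples: digests shortened, signature body omitted.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Example
MD5Sum:
 0000 1024 main/binary-amd64/Packages
SHA256:
 0000 1024 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
EOF
sed 's/^SHA256:/SHA1:/' "$sample_dir/good" > "$sample_dir/md5_sha1_only"
sed 's/^Hash: SHA256/Hash: SHA1/' "$sample_dir/good" > "$sample_dir/sha1_signed"
for f in good md5_sha1_only sha1_signed; do check_inrelease "$sample_dir/$f" && echo "$f: ok" || echo "$f: REJECT"; done
```

A file that passes here still has to be verified by APT against a trusted
key; the functions only show why a repository would be refused.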

5.3.3. The Xorg server is no longer setuid root by default

Note

This change only applies if your X Display Manager supports
running X rootless (or if you start X manually via
startx). Currently the only known display
manager supporting this is gdm. Other display managers simply
start X as root regardless of this change.

This reduces the risk of privilege escalation via bugs in the X
server. However, it has some requirements for working:

When run as a regular user, the Xorg log will be available from
~/.local/share/xorg/.

If these requirements cannot be met, please install the
xserver-xorg-legacy package to reinstate the setuid Xorg.

5.3.4. Upstart removed

Due to the lack of upstream maintainers, the Upstart init system has been
removed from Stretch. If your system relies on this package, you should note
that it will not be updated during the lifetime of Debian 9, and starting
from Debian 10 (Buster), upstart jobs could be removed from packages.

Please consider switching to a supported init system, like systemd or openrc.